(54) Event logging in a computing platform

(57) There is disclosed a computer entity having a 
trusted component which compiles an event log for 
events occurring on a computer platform. The event log 
contains event data of types which are pre-specified by 
a user by inputting details through a dialogue display 
generated by the trusted component. Items which can 
be monitored include data files, applications, drivers and
the like. The trusted component operates through a 
monitoring agent which may be launched onto the com- 
puter platform. The monitoring agent may be periodical- 
ly interrogated to make sure that it is operating correctly 
and responding to interrogations by the trusted compo- 
nent. 




[Figure: flowchart. Agent obtains event data from user specified
logical entity, e.g. file, driver or application; agent reports event
data to trusted component; trusted component creates event log file,
stores received event data in trusted memory.]
form and the status of the data within the platform
or system is dynamic and difficult to predict. It is difficult to
determine whether a computer platform is operating correctly because
the state of the computer platform and data on the platform is
constantly changing and the computer platform itself may be
dynamically changing.

• From a security point of view, commercial computer platforms, in
particular client platforms, are often deployed in environments which
are vulnerable to unauthorized modification. The main areas of
vulnerability include modification by software loaded by a user, or by
software loaded via a network connection. Particularly, but not
exclusively, conventional computer platforms may be vulnerable to
attack by virus programs, with varying degrees of hostility.

• Computer platforms may be upgraded or their capabilities extended or
restricted by physical modification, i.e. addition or deletion of
components such as hard disk drives, peripheral drivers and the like.

[0008] It is known to provide certain security features
in computer systems, embedded in operating software. 
These security features are primarily aimed at providing 
division of information within a community of users of 
the system. 

[0009] In the known Microsoft Windows NT™ 4.0 operating system, there
also exists a monitoring facility called "system log event viewer" in
which a log of events occurring within the platform is recorded into an
event log data file which can be inspected by a system administrator
using the Windows NT operating system software. This facility goes some
way to enabling a system administrator to security monitor preselected
events. The event logging function in the Windows NT™ 4.0 operating
system is an example of system monitoring.
[0010] However, in terms of overall security of a computer platform, a
purely software based system is vulnerable to attack, for example by
viruses. The Microsoft Windows NT™ 4.0 software includes a virus guard
software, which is preset to look for known viruses. However, virus
strains are developing continuously, and the virus guard software will
not guard against unknown viruses.

[0011] Further, prior art monitoring systems for computer entities
focus on network monitoring functions, where an administrator uses
network management software to monitor performance of a plurality of
network computers. Also, trust in the system does not reside at the
level of individual trust of each hardware unit of computer platform in
a system.


Summary of the Invention 

[0012] Specific implementations of the present invention provide a
computer platform having a trusted component which is physically and
logically distinct from a computer platform. The trusted component has
the properties of unforgeability, and autonomy from the computer
platform with which it is associated. The trusted component monitors
the computer platform and thereby may provide a computer platform which
is monitored on an individual basis at a level beneath a network
monitoring or system monitoring level. Where a plurality of computer
platforms are networked or included in the system, each computer
platform may be provided with a separate corresponding respective
trusted component.

[0013] Specific implementations of the present invention may provide a
secure method of monitoring events occurring on a computer platform, in
a manner which is incorruptible by alien agents present on the computer
platform, or by users of the computer platform, in a manner such that
if any corruption of the event log takes place, this is immediately
apparent.

[0014] According to a first aspect of the present invention there is
provided a computer entity comprising a computer platform comprising a
data processor and at least one memory device; and a trusted component,
said trusted component comprising a data processor and at least one
memory device; wherein said data processor and said memory of said
trusted component are physically and logically distinct from said data
processor and memory of said computer platform; and means for
monitoring a plurality of events occurring on said computer platform.

[0015] Preferably said monitoring means comprises a software agent
operating on said computer platform, for monitoring at least one event
occurring on said computer platform, and reporting said event to said
trusted component.

[0016] Said software agent may comprise a set of program code normally
resident in said memory device of said trusted component, said code
being transferred into said computer platform for performing monitoring
functions on said computer platform.

[0017] Preferably said trusted component comprises 
an event logging component for receiving data describ- 
ing a plurality of events occurring on said computer plat- 
form, and compiling said event data into a secure event 
data. 

[0018] Preferably said event logging component com- 
prises means for applying a chaining function to said 
event data to produce said secure event data. 
[0019] Selections of events and entities to be moni- 
tored may be selected by a user by operating a display 
interface for generating an interactive display compris- 
ing: means for selecting an entity of said computer plat- 
form to be monitored; and means for selecting at least 
one event to be monitored. 

[0020] The monitoring means may further comprise 
prediction means for predicting a future value of at least 
one selected parameter. 
Fig. 2 illustrates schematically connectivity of selected components
of the computer entity of Fig. 1;

Fig. 3 illustrates schematically a hardware architecture of components
of the computer entity of Fig. 1;

Fig. 4 illustrates schematically an architecture of a trusted
component comprising the computer entity of Fig. 1;

Fig. 5 illustrates schematically a logical architecture of the computer
entity, divided into a monitored user space, resident on the computer
platform and a trusted space resident on the trusted component;

Fig. 6 illustrates schematically components of a monitoring agent which
monitors events occurring on the computer platform and reports back to
the trusted component;

Fig. 7 illustrates schematically logical components of the trusted
component itself;

Fig. 8 illustrates schematically process steps carried out for
establishing a secure communication between the user and the trusted
component by way of a display on a monitor device;

Fig. 9 illustrates schematically process steps for selecting security
monitoring functions using a display monitor;

Fig. 10 illustrates schematically a first dialogue box display
generated by the trusted component;

Fig. 11 illustrates schematically a second dialogue box display used
for entering data by a user;

Fig. 12 illustrates schematically operations carried out by the
monitoring agent and the trusted component for monitoring logical
and/or physical entities such as files, applications or drivers on the
computer platform;

Fig. 13 illustrates schematically process steps operated by the agent
and trusted component for continuous monitoring of specified events on
the computer platform; and

Fig. 14 illustrates schematically process steps car- 
ried out by and interaction between the monitoring 
agent and the trusted component for implementing 
the agent on the computer platform, and monitoring 
the existence and integrity of the agent on the com- 
puter platform. 



Detailed Description of the Best Mode for Carrying Out the Invention

[0035] There will now be described by way of example the best mode
contemplated by the inventors for carrying out the invention. In the
following description numerous specific details are set forth in order
to provide a thorough understanding of the present invention. It will
be apparent however, to one skilled in the art, that the present
invention may be practiced without limitation to these specific
details. In other instances, well known methods and structures have not
been described in detail so as not to unnecessarily obscure the present
invention.

[0036] In this specification, the term "trusted" when used in relation
to a physical or logical component, is used to mean a physical or
logical component with which the behavior of that component is
predictable and known. Trusted components have a high degree of
resistance to unauthorised modification.

[0037] In this specification, the term "computer platform" is used to
refer to at least one data processor and at least one data storage
means, usually but not essentially with associated communications
facilities e.g. a plurality of drivers, associated applications and
data files, and which may be capable of interacting with external
entities e.g. a user or another computer entity, for example by means
of connection to the internet, connection to an external network, or by
having an input port capable of receiving data stored on a data storage
medium, e.g. a CD ROM, floppy disk, ribbon tape or the like. The term
"computer platform" encompasses the main data processing and storage
facility of a computer entity.

[0038] Referring to Fig. 1 herein, there is illustrated schematically
one example of a computer entity as previously described in the
applicant's European patent application entitled "Trusted Computing
Platform", filed 15 February 1999 at the European Patent Office, a copy
of which is filed herewith, and the entire contents of which are
incorporated herein by reference. Referring to Fig. 2 of the
accompanying drawings, there is illustrated schematically physical
connectivity of some of the components of the trusted computer entity
of Fig. 1. Referring to Fig. 3 herein, there is illustrated
schematically an architecture of the trusted computer entity of Figs. 1
and 2, showing physical connectivity of components of the entity.

[0039] In general, in the best mode described herein, a trusted
computer entity comprises a computer platform consisting of a first
data processor, and a first memory means, together with a trusted
component which verifies the integrity and correct functioning of the
computing platform. The trusted component comprises a second data
processor and a second memory means, which are physically and logically
distinct from the first data processor and first memory means.
[0040] In the example shown in Figs. 1 to 3 herein, 
the trusted computer entity is shown in the form of a per- 
image data may comprise a photograph of a user. The
image data on the smart card may be unique to a person 
using the smart card. 

[0050] In the best mode herein, a user may specify a selected logical
or physical entity on the computer platform, for example a file,
application, driver, port, interface or the like for monitoring of
events which occur on that entity. Two types of monitoring may be
provided, firstly continuous monitoring over a predetermined period,
which is set by a user through the trusted component, and secondly
monitoring for specific events which occur on an entity. In particular,
a user may specify a particular file of high value, or of restricted
information content and apply monitoring of that specified file so that
any interactions involving that file, whether authorized or not, are
automatically logged and stored in a manner in which the events
occurring on the file cannot be deleted, erased or corrupted, without
this being immediately apparent.

[0051] Referring to Fig. 4 herein, there is illustrated schematically
an internal architecture of trusted component 202. The trusted
component comprises a processor 400, a volatile memory area 401; a
non-volatile memory area 402; a memory area storing native code 403;
and a memory area storing one or a plurality of cryptographic
functions, 404, the non-volatile memory 401, native code memory 403 and
cryptographic memory 404 collectively comprising the second memory
means hereinbefore referred to.

[0052] Trusted component 202 comprises a physically and logically
independent computing entity from the computer platform. In the best
mode herein, the trusted component shares a motherboard with the
computer platform so that the trusted component is physically linked to
the computer platform. In the best mode, the trusted component is
physically distinct from the computer platform, that is to say it does
not exist solely as a sub-functionality of the data processor and
memory means comprising the computer platform, but exists separately as
a separate physical data processor 400 and separate physical memory
area 401, 402, 403, 404. By providing a physically present trusted
component, the trusted component becomes harder to mimic or forge
through software introduced onto the computer platform. Programs within
the trusted component are pre-loaded at manufacture of the trusted
component, and are not user configurable. The physicality of the
trusted component, and the fact that the user component is not
configurable by the user enables the user to have confidence in the
inherent integrity of the trusted component, and therefore a high
degree of "trust" in the operation and presence of the trusted
component on the computer platform.

[0053] Referring to Fig. 5 herein, there is illustrated schematically a
logical architecture of the computer entity 500. The logical
architecture has a same basic division between the computer platform,
and the trusted component, as is present with the physical architecture
described in Figs. 1 to 3 herein. That is to say, the trusted component
is logically distinct from the computer platform to which it is
physically related. The computer entity comprises a user space 504
being a logical space which is physically resident on the computer
platform (the first processor and first data storage means) and a
trusted component space 513 being a logical space which is physically
resident on the trusted component 202. In the user space 504 are one or
a plurality of drivers 506, one or a plurality of applications programs
507, a file storage area 508; smart card reader 103; a smart card
interface 305; and a software agent 511 which operates to perform
operations in the user space and report back to trusted component 202.
The trusted component space is a logical area based upon and physically
resident in the trusted component, supported by the second data
processor and second memory area of the trusted component. Confirmation
key device 104 inputs directly to the trusted component space 513, and
monitor 100 receives images directly from the trusted component space
513. External to the computer entity are external communications
networks e.g. the Internet 501, and various local area networks, wide
area networks 502 which are connected to the user space via the drivers
506 which may include one or more modem ports. External user smart card
503 inputs into smart card reader 103 in the user space.

[0054] In the trusted component space, are resident the trusted
component itself, displays generated by the trusted component on
monitor 100; and confirmation key 104, inputting a confirmation signal
via confirmation key interface 306.

[0055] Referring to Fig. 6 herein, within agent 511, there is provided
a communications component 601 for communicating with the trusted
component 202; and a file monitoring component 600 the purpose of which
is to monitor events occurring on specified logical or physical
entities, e.g. data files, applications or drivers on the computer
platform, within the user space.

[0056] Referring to Fig. 7 herein, there is illustrated schematically
internal components on the trusted component 202 resident in trusted
space 513. The trusted component comprises a communications component
700 for communicating with software agent 511 in user space; a display
interface component 701 which includes a display generator for
generating a plurality of interface displays which are displayed on
monitor 100 and interface code enabling a user of the computing entity
to interact with trusted component 202; an event logger program 702 for
selecting an individual file, application, driver or the like on the
computer platform, and monitor the file, application or driver and
compile a log of events which occur on the file, application or driver;
a plurality of cryptographic functions 703 which are used to
cryptographically link the event log produced by event logger component
702 in a manner from which it is immediately apparent if the event log
has been tampered with after leaving event logger 702; a set of prediction
described primarily in relation to data files, application
programs and drivers, although it will be appreciated that the general
methods and principles described herein are applicable to the general
set of components and facilities of the computer platform. By
activating the drop down menu on each of selection boxes 1101-1103,
there is listed a corresponding respective list of data files, drivers,
or applications which are present on the computer platform. A user may
select any of these files and/or applications and/or drivers by
activating the pointing device on the selected icon from the drop down
menu in conventional manner in steps 904, 905, 906. Additionally, the
event monitor menu comprises an event select menu 1104. The event
select menu lists a plurality of event types which can be monitored by
the event logger 702 within the trusted component, for the file,
application or driver which is selected in selection boxes 1101, 1102,
1103 respectively. Types of event which can be monitored include events
in the set: file copied - the event of a selected file being copied by
an application or user; file saved - the event of whether a specified
file is saved by an application or user; file renamed - the event of
whether a file has been renamed by an application or user; file opened
- the event of whether a file is opened by an application or user; file
overwritten - the event of whether data within a file has been
overwritten; file read - the event of whether data in a file has been
read by any user, application or other entity; file modified - the
event of whether data in a file has been modified by a user,
application or other entity; file printed - the event of whether a file
has been sent to a print port of the computer entity; driver used -
whether a particular driver has been used by any application or file;
driver reconfigured - the event of whether a driver has been
reconfigured; modem used - subset of the driver used event, applying to
whether a modem has been used or not; disk drive used - the event of
whether a disk drive has been used in any way, either written or read;
application opened - the event of whether an application has been
opened; and application closed - the event of whether an application
has been closed. Once the user has selected the application, driver or
file and the events to be monitored in dialog box 1100, the user
activates the confirmation key 104, which is confirmed by confirmation
key icon 1105 visually altering, in order to activate a monitoring
session. A monitoring session can only be activated by use of the
dialog box 1100, having the user's image 1001 from the user's smart
card display thereon, and by independently pressing confirmation key
104. Display of the image 1001 on the monitor 100, enables the user to
have confidence that the trusted component is generating the dialog
box. Pressing the confirmation key 104 by the user, which is directly
input into trusted component 202 independently of the computer platform
gives direct confirmation to the trusted component that the user, and
not some other entity, e.g. a virus or the like is activating the
monitoring session.

[0061] The user may also specify a monitoring period by entering a
start time and date and a stop time and date in data entry window 1106.
Alternatively, where a single event on a specified entity is to be
monitored, the user can specify monitoring of that event only by
confirming with pointing device 105 in first event only selection box
1107.

[0062] Two modes of operation will now be described. In the first mode
of operation, continuous event monitoring of specified entities over a
user specified period occurs. In the second mode of operation,
continuous monitoring of a specified entity occurs until a user
specified event has happened, or until a user specified period for
monitoring that user specified event has elapsed.

[0063] In Fig. 12 herein, there is illustrated a procedure for
continuous monitoring of a specified logical or physical entity over a
user specified monitoring period.

[0064] Referring to Fig. 12 herein, there is illustrated schematically
process steps operated by trusted component 202 in response to a user
input to start an event monitoring session as described with reference
to Figs. 8 to 11 hereinbefore. In step 1200, display interface 701
receives commands from the user via the dialogue boxes which are input
using pointing device 105, keyboard 101 via data bus 304 and via
communications interface 700 of the trusted component. The event logger
702 instructs agent 511 in user space to commence event monitoring. The
instructions comprising event logger 702 are stored within a memory
area resident within the trusted component 202. Additionally, event
logger 702 is also executed within a memory area in the trusted
component. In contrast, whilst the instructions comprising agent 511
are stored inside the trusted component 202 in a form suitable for
execution on the host processor i.e. in CPU native programs area 403 of
the trusted component, agent 511 is executed within untrusted user
space i.e. outside of the trusted component 202. Agent 511 receives
details of the file, application and/or drivers to be monitored from
event logger 702. In step 1200, agent 511 receives a series of event
data from the logical entity (e.g. file, application or driver)
specified. Such monitoring is a continuous process, and agent 511 may
perform step 1200 by periodically reading a data file in which such
event data is automatically stored by the operating system (for example
in the Microsoft Windows 4.0™ operating system which contains the
facility for logging events on a file). However, in order to maximize
security, it is preferable the agent 511 periodically gathers event
data itself by interrogating the file, application or driver directly
to elicit a response. In step 1201, the collected data concerning the
events of entity are reported directly to the trusted component 202,
which then stores them in a trusted memory area in step 1202. In step
1203, the event logger checks whether the user specified predetermined
monitoring period from the start of the event monitoring session has
elapsed. If the event monitoring session period has not yet elapsed,
event logger 702 continues to await further events on the specified
files, applications or drivers supported by
dressed; a network address to which a file has been copied,
to which an application has addressed, or to which
a driver has corresponded with.
[0072] The event data stored in the event log may be physically stored
in a data file either on the platform or in the trusted component. The
event log data is secured using a chaining function, such that a first
secured event data is used to secure a second secured event data, a
second secured event data is used to secure a third event data, etc so
any changes to the chain of data are

[0073] In addition to providing the secured event log data, the trusted
component may also compile a report of events. The report may be
displayed on monitor 100. Items which may form the content of a report
include the events as specified in the event log above, together with
the following: time of an event, date of an event, whether or not a
password was used, a destination of the file it is copied to, a size of
a file (in megabytes), a duration a file or application has been open,
a duration over which a driver has been online, a duration over which a
driver has been used, a port which has been used, an internet address
which has been communicated with, a network address which has been
communicated with.
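
The chaining function described above for the event log can be sketched as a hash chain whose latest link stays in trusted memory while the records sit in a file on the platform. This is an added example, not code from the patent: SHA-256, the record layout, the `EventLogger` class and the sample events are assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = bytes(32)  # assumed starting value for the chain

# Constructed sample events using event types named in the description.
SAMPLE_EVENTS = [
    {"entity": "payroll.xls", "event": "file opened", "user": "alice"},
    {"entity": "payroll.xls", "event": "file copied", "user": "alice"},
    {"entity": "payroll.xls", "event": "file printed", "user": "bob"},
]


def link(prev: bytes, event: dict) -> bytes:
    """Secure one event with the digest that secured the previous one."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev + body).digest()


class EventLogger:
    """Hypothetical stand-in for the event logger in the trusted component."""

    def __init__(self):
        self.head = GENESIS  # latest link, held in trusted memory
        self.count = 0       # number of events secured so far

    def append(self, store: list, event: dict) -> None:
        """Chain a reported event and write the record to the log file."""
        self.head = link(self.head, event)
        self.count += 1
        store.append({"event": event, "link": self.head.hex()})

    def verify(self, store: list) -> str:
        """Return 'ok', 'broken-link:<index>' or 'head-mismatch'."""
        prev = GENESIS
        for i, record in enumerate(store):
            prev = link(prev, record["event"])
            if record["link"] != prev.hex():
                return f"broken-link:{i}"
        # A chain can be internally consistent and still not be the one the
        # trusted component produced: compare against trusted memory.
        if len(store) != self.count or prev != self.head:
            return "head-mismatch"
        return "ok"


def rechain(store: list) -> None:
    """Rewrite every link so the file is self-consistent again, which any
    software able to write the platform-side file could do."""
    prev = GENESIS
    for record in store:
        prev = link(prev, record["event"])
        record["link"] = prev.hex()


def demo() -> dict:
    logger, store = EventLogger(), []
    for event in SAMPLE_EVENTS:
        logger.append(store, event)

    edited = copy.deepcopy(store)
    edited[1]["event"]["user"] = "mallory"      # one field changed in place

    rewritten = copy.deepcopy(edited)
    rechain(rewritten)                          # links recomputed after edit

    return {
        "clean": logger.verify(store),
        "edited": logger.verify(edited),
        "rewritten": logger.verify(rewritten),
        "truncated": logger.verify(store[:-1]),
        "deleted": logger.verify([store[0], store[2]]),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:10s} {status}")
```

The `rewritten` and `truncated` cases pass a link-by-link check and are caught only by the comparison with the head held in the trusted component, which is why the head must not be stored alongside a log file kept on the platform.
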
[0074] Agent 511 performs event monitoring operations on behalf of
trusted component 202, however whereas trusted component 202 is
resident in a trusted space 513, agent 511 must operate in the user
space of the computer platform. Because the agent 511 is in an
inherently less secure environment than the trusted space 513, there is
the possibility that agent 511 may become compromised by hostile attack
to the computer platform through a virus or the like. The trusted
component deals with the possibility of such hostile attack by either
of two mechanisms. Firstly, in an alternative embodiment the agent 511
may be solely resident within trusted component 202. All operations
performed by agent 511 are performed from within trusted user space 513
by the monitoring code component 600 operating through the trusted
components' communications interface 700 to collect event data.
However, a disadvantage of this approach is that since agent 511 does
not exist, it cannot act as a buffer between trusted component 202 and
the remaining user space 504.

[0075] On the other hand, the code comprising agent 511 can be stored
within trusted space in a trusted memory area of trusted component 202,
and periodically "launched" into user space 504. That is to say, when a
monitoring session is to begin, the agent can be downloaded from the
trusted component into the user space or kernel space on the computer
platform, where it then resides, performing its continuous monitoring
functions. In this second method, which is the best mode contemplated
by the inventors, to reduce the risk of any compromises of agent 511
remaining undetected, the trusted component can either re-launch the
complete agent from the secure memory area in trusted space into the
user space at periodic intervals, and/or can periodically monitor the
agent 511 in user space to make sure that it is responding correctly to
periodic interrogation by the trusted component.

[0076] Where the agent 511 is launched into user space from its
permanent residence in trusted space, this is effected by copying code
comprising the agent from the trusted component onto the computer
platform. Where a monitoring session has a finite monitoring period
specified by a user, the period over which the agent 511 exists in user
space can be configured to coincide with the period of the monitoring
session. That is to say the agent exists for the duration of the
monitoring session only, and once the monitoring session is over, the
agent can be deleted from user/kernel space. To start a new monitoring
session for a new set of events and/or entities, a new agent can be
launched into user space for the duration of that monitoring session.

[0077] During the monitoring session, which may extend over a prolonged
period of days or months as specified by a user, the trusted component
monitors the agent itself periodically.

[0078] Referring to Fig. 14 herein, there is illustrated schematically
process steps carried out by trusted component 202 and agent 511 on the
computer platform for launching the agent 511 which is downloaded from
trusted space to user space, and in which the trusted component
monitors the agent 511 once set up and running on the computer
platform.

[0079] In step 1400, native code comprising the agent 511 stored in the
trusted component's secure memory area is downloaded onto the computer
platform, by the computer platform reading the agent code directly from
the trusted component in step 1401. In step 1402, the data processor on
the computer platform commences execution of the native agent code
resident in user space on the computer platform. The agent continues to
operate as described hereinbefore continuously in step 1403. Meanwhile,
trusted component 202 generates a nonce challenge message in step 1404
after a suitable selected interval, and sends this nonce to the agent
which receives it in step 1405. The nonce may comprise a random bit
sequence generated by the trusted component. The purpose of the nonce
is to allow the trusted component to check that the agent is still
there and is still operating. If the nonce is not returned by the
agent, then the trusted component knows that the agent has ceased to
operate and/or has been compromised. In step 1407 the agent signs the
nonce and in step 1408 the agent sends the signed nonce back to the
trusted component. The trusted component receives the signed nonce in
step 1409 and then repeats step 1404 sending a new nonce after a
pre-selected period. If after a predetermined wait period 1406,
commencing when the nonce was sent to the agent in step 1404, the
trusted component has not received a nonce returned from the agent,
then in step 1410 the trusted component generates an alarm signal which
may result in a display on the monitor showing that the agent 511 is
incorrectly op-
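
The interrogation loop of steps 1404 to 1410 can be modelled as below. This is an added example, not code from the patent: the text says only that the agent signs the nonce, so the HMAC-SHA256 keyed with a secret embedded in the agent at each launch, the class names and the explicit `now` timestamps are assumptions.

```python
import hashlib
import hmac
import secrets


class Agent:
    """Monitoring agent running in user space (hypothetical model)."""

    def __init__(self, key: bytes):
        self._key = key          # assumed per-launch secret copied with the code
        self.running = True

    def answer(self, nonce: bytes):
        # Steps 1405, 1407, 1408: receive the nonce, sign it, send it back.
        if not self.running:
            return None
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class TrustedComponent:
    def __init__(self, wait_period: float):
        self.wait_period = wait_period   # predetermined wait period 1406
        self._key = None
        self._pending = None             # (nonce, deadline) of the open challenge
        self.alarms = []                 # alarm signals raised in step 1410

    def launch_agent(self) -> Agent:
        # Steps 1400 to 1402: a fresh key per launch, so a re-launched agent
        # invalidates anything captured from an earlier copy.
        self._key = secrets.token_bytes(32)
        return Agent(self._key)

    def challenge(self, now: float) -> bytes:
        # Step 1404: random bit sequence, used for one challenge only.
        nonce = secrets.token_bytes(16)
        self._pending = (nonce, now + self.wait_period)
        return nonce

    def check(self, reply, now: float) -> str:
        # Step 1409, or step 1410 when the reply is missing, late or wrong.
        if self._pending is None:
            return self._alarm("unsolicited", now)
        nonce, deadline = self._pending
        self._pending = None             # a nonce is never accepted twice
        if reply is None or now > deadline:
            return self._alarm("timeout", now)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, reply):
            return self._alarm("bad-signature", now)
        return "ok"

    def _alarm(self, reason: str, now: float) -> str:
        self.alarms.append((now, reason))
        return reason


def demo() -> list:
    tc = TrustedComponent(wait_period=2.0)
    agent = tc.launch_agent()
    outcomes = []

    first = tc.challenge(now=0.0)
    old_reply = agent.answer(first)
    outcomes.append(tc.check(old_reply, now=0.5))             # healthy agent

    tc.challenge(now=60.0)
    outcomes.append(tc.check(old_reply, now=60.5))            # stale reply reused

    late = tc.challenge(now=120.0)
    outcomes.append(tc.check(agent.answer(late), now=123.0))  # past wait period

    agent.running = False                                     # agent has stopped
    nonce = tc.challenge(now=180.0)
    outcomes.append(tc.check(agent.answer(nonce), now=180.5))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A correct reply shows only that something holding the agent's key answered within the wait period, which is why the description pairs interrogation with periodic re-launch of the agent from trusted space.
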



EP 1 055 990 A1



compiling said event data into secure event data. 

5. The computer entity as claimed in claim 4, wherein
said event logging component comprises means for
applying a chaining function to said event data to
produce said secure event data.

6. The computer entity as claimed in claim 1, further
comprising a display interface for generating an
interactive display comprising:

means for selecting an entity of said computer
platform to be monitored; and

means for selecting at least one event to be
monitored.

7. The computer entity as claimed in claim 1, further
comprising prediction means for predicting a future
value of at least one selected parameter.

8. The computer entity as claimed in claim 1, further
comprising a confirmation key means connected to
said trusted component, and independent of said
computer platform, for confirming to said trusted
component an authorisation signal of a user.

9. The computer entity as claimed in claim 1, wherein
logical entities to be monitored are selected from
the set:

at least one data file;

at least one application;

at least one driver component.

10. A computer entity comprising:

a computer platform having a first data processor
and a first memory device; and

a trusted monitoring component comprising a
second data processor and a second memory
device, wherein

said trusted monitoring component stores an
agent program resident in said second memory
area, said agent program arranged to be copied
to said first memory area for performing functions
on behalf of said trusted component, under
control of said first data processor.

11. A computer entity comprising: 


a computer platform comprising a first data 
processor and a first memory device; 



a trusted monitoring component comprising a 
second data processor and a second memory 
device; 

a first computer program resident in said first 
memory area and operating said first data proc- 
essor, said first computer program reporting 
back events concerning operation of said com- 
puter platform to said trusted monitoring com- 
ponent; and 

a second computer program said second com- 
puter program resident in said second memory 
area of said trusted component, said second 
program operating to monitor an integrity of
said first program.

12. The computer entity as claimed in claim 11, wherein
said computer program monitors an integrity of said
first computer program by sending to said first
computer program a plurality of interrogation messages,
and monitoring a reply to said interrogation messages
made by said first computer program.

13. The computer entity as claimed in claim 12, wherein
a said interrogation message is sent in a first format,
and returned in a second format, wherein said second
format is a secure format.

14. A method of monitoring a computer platform com- 
prising a first data processor and a first memory 
means, said method comprising the steps of: 

reading event data describing events occurring 
on at least one logical or physical entity com- 
prising said computer platform; 

securing said event data in a second data 
processing means having an associated sec- 
ond memory area, said second data processing 
means, said second memory area being phys- 
ically and logically distinct from said first data 
processing means and said first memory area, 
such that said secure event data cannot be al- 
tered without such alteration being apparent. 

15. The method as claimed in claim 14, where a said 
event to be monitored is selected from the set of 
events: 

copying of a data file; 

saving a data file; 

renaming a data file; 

opening a data file; 